Overview:
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway before 10.5 build 70.8, 11.x before 11.1 build 63.9, 12.0 before build 62.10, 12.1 before build 54.16, and 13.0 before build 41.28. An attacker with management-interface access can bypass authentication to obtain appliance administrative access. These products formerly used the NetScaler brand name.
Affected Product(s):
Builds earlier than the fixed builds listed below are affected; the listed builds and later contain the fix.
  • Citrix ADC and Citrix Gateway version 13.0 build 41.28 and later
  • Citrix ADC and NetScaler Gateway version 12.1 build 54.16 and later
  • Citrix ADC and NetScaler Gateway version 12.0 build 62.10 and later
  • Citrix ADC and NetScaler Gateway version 11.1 build 63.9 and later
  • Citrix ADC and NetScaler Gateway version 10.5 build 70.8 and later
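As an added example that is not part of the advisory, the helper below parses appliance version strings and compares them against the fixed builds listed above, so an inventory can be triaged for this CVE. The inventory entries and the `NS13.0: Build 41.20.nc` string format are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the advisory: at or above the threshold for a release line is fixed.
FIXED_BUILDS = {
    "10.5": (70, 8),
    "11.1": (63, 9),
    "12.0": (62, 10),
    "12.1": (54, 16),
    "13.0": (41, 28),
}

# Accepts the advisory's own phrasing ("13.0 build 41.28") and the
# "NS13.0: Build 41.20.nc" form, which is an assumed appliance version string.
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)\D+?[Bb]uild\s+(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release_line, (build, sub_build)) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the fixed build, False if fixed, None if unparseable or uncovered."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    line, build = parsed
    if line.startswith("11.") and line != "11.1":
        return True  # "11.x before 11.1 build 63.9": 11.0 builds have no fixed build
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return None  # release line not in the advisory (e.g. a later release)
    # Compare as integer tuples: a string compare would wrongly rank 63.15 below 63.9.
    return build < fixed

# Constructed inventory, not real appliances.
SAMPLE_INVENTORY = [
    ("adc-dmz-01", "NetScaler NS13.0: Build 41.20.nc"),
    ("adc-dmz-02", "NetScaler NS13.0: Build 41.28.nc"),
    ("gw-hq-01", "NetScaler NS12.1: Build 54.13.nc"),
    ("gw-hq-02", "NetScaler NS11.0: Build 70.16.nc"),
    ("adc-lab-01", "unknown firmware string"),
]

def triage(inventory=SAMPLE_INVENTORY):
    """Map each appliance name to True (affected), False (fixed) or None (unknown)."""
    return {name: is_vulnerable(version) for name, version in inventory}
```

Calling `triage()` on the sample inventory flags the three appliances below their fixed builds, clears the 13.0 build 41.28 appliance, and reports the unparseable entry as unknown.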
Vulnerability Details:
CVE ID: CVE-2019-18225
Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway

This vulnerability affects the product versions listed under Affected Product(s) above.

Solution:

In order to exploit this vulnerability, an attacker would require access to the management interface of the Citrix ADC. In situations where customers have deployed their Citrix ADC and Citrix Gateway appliances in line with industry best practice, network access to this interface should already be restricted.

If the customer has previously changed the default internal user account or RPC node password in accordance with the guidelines in the Secure Deployment Guide, then this issue does not impact their deployment.